Proxmox Mail Gateway 9: Email Security Setup
Deploy Proxmox Mail Gateway 9 as a VM to filter spam and malware before it hits your mail server. Step-by-step setup guide for sysadmins.
If you're self-hosting email — whether on Postfix, Mailcow, iRedMail, or Exchange — you already know that raw SMTP exposure is a bad time. Spam, phishing, and malware-laden attachments will hammer your inbox within hours of going live. Proxmox Mail Gateway 9 is a purpose-built, open-source email security proxy that sits in front of your mail server and filters the junk before it ever arrives. Version 9.0 dropped in early 2026, and with Proxmox VE 9 now out as well, there's never been a better time to add PMG to your homelab or production stack.
This guide walks you through deploying PMG 9 as a VM on Proxmox VE, configuring it as your MX entry point, and tuning the spam and virus filters so your mail server only sees clean traffic.
What Proxmox Mail Gateway Actually Does
PMG is an SMTP proxy, not a mail server. It receives inbound email on port 25, runs it through a multi-layer filtering pipeline, and then relays clean messages to your real mail server on your internal network. Outbound mail can optionally pass through PMG as well for policy enforcement and disclaimers.
The filtering stack includes:
- SpamAssassin — rule-based spam scoring with Bayesian learning
- ClamAV — open-source antivirus engine with automatic signature updates
- Greylist — temporary rejection of unknown senders (kills most bot spam)
- SPF, DKIM, and DMARC validation — authentication checks built in
- Custom rule engine — regex-based content, sender, and attachment rules
PMG 9 adds a refreshed UI, updated Debian Bookworm base, and improved cluster sync. If you're upgrading from PMG 8, the process mirrors the PVE 8→9 upgrade (apt-based, in-place).
Prerequisites
Before you start, make sure you have:
- Proxmox VE 7.x or 8.x/9.x host with at least 2GB RAM and 2 vCPUs to spare
- A registered domain with DNS control (you'll be changing your MX record)
- An existing mail server on your network (Mailcow, iRedMail, Postfix, Exchange, etc.)
- A static IP or stable DDNS for the PMG VM
- Port 25 open inbound at your firewall/router (and currently pointed at your mail server)
Download the PMG 9 ISO from the official Proxmox downloads page. It's a ~1GB ISO that you'll upload to your Proxmox ISO storage.
Creating the PMG VM
PMG is distributed as a bare-metal installer (same as PVE itself), so you install it fresh rather than deploying it inside an existing OS.
VM Specs
For a homelab or small business handling a few hundred mailboxes, these specs work well:
- CPU: 2 vCPUs (4 if you have them)
- RAM: 2GB minimum, 4GB recommended
- Disk: 32GB minimum — logs and quarantine fill up fast, 64GB is safer
- Network: One NIC on your LAN bridge (or a DMZ VLAN if you have one)
In the Proxmox UI, create a new VM:
- Select your PMG 9 ISO as the install media
- Guest OS: Linux, kernel 6.x
- SCSI disk with VirtIO-SCSI controller (better performance than IDE)
- At least 2048MB RAM
- Network model: VirtIO on your LAN bridge
Boot the VM and run through the PMG installer. It's nearly identical to the PVE installer — set hostname, root password, IP address, gateway, and DNS. Use a dedicated IP that you'll eventually point your MX record at.
Initial PMG Configuration
Once installed, access the PMG web UI at https://<pmg-ip>:8006. Log in as root with the password you set during install.
Set Your Relay Destination
This is the most important step. PMG needs to know where to forward clean mail.
Navigate to Mail Proxy → Relay Domains and add your domain:
Domain: yourdomain.com
Relay Host: 192.168.1.50 (your internal mail server IP)
Relay Port: 25
If your mail server runs on a non-standard port (like 587), adjust accordingly. You can add multiple domains if you host email for several of them.
Configure the Network Interfaces
Under Configuration → Network, verify your PMG VM's IP and hostname. PMG uses the same network stack as PVE, so this should already be set from the installer.
Set your DNS resolver here if it wasn't configured correctly. PMG needs working DNS for spam checks — SPF lookups, DNSBL queries, and greylisting all depend on it.
Set Up Relay Networks
Tell PMG which internal IP ranges are allowed to send outbound mail through it without authentication:
Go to Mail Proxy → Networks and add your internal subnets:
192.168.1.0/24
10.0.0.0/8
172.16.0.0/12
Without this, your mail server's outbound relay attempts will be rejected.
Configuring Spam and Virus Filters
SpamAssassin Tuning
PMG ships with SpamAssassin preconfigured, but the default thresholds are conservative. You'll want to tune them for your environment.
Navigate to Mail Proxy → Options:
- Spam Score Threshold (Mark as Spam): Default is 5. Lower it to 3-4 for stricter filtering once you've watched traffic for a week.
- Spam Score Threshold (Block): Default is 10. Start high (15+) and lower gradually as you verify false positive rates.
For Bayesian learning to work, you need to feed SpamAssassin examples. PMG includes a quarantine where held messages live — you can mark false positives/negatives directly from the UI, and SA learns from them.
Enable auto-learning under Configuration → Spam Detector:
Auto-learn Ham Score: -5
Auto-learn Spam Score: 12
This trains the Bayesian filter automatically on clear-cut cases.
ClamAV Updates
ClamAV signature updates run via freshclam. Verify it's running:
systemctl status clamav-freshclam
If it's not running, enable it:
systemctl enable --now clamav-freshclam
Check the ClamAV log to confirm signatures are downloading:
tail -f /var/log/clamav/freshclam.log
You should see daily signature updates. If you're behind a proxy, configure it in /etc/clamav/freshclam.conf.
Greylisting
Greylisting is one of the most effective spam reduction tools available, and PMG has it built in. When an unknown sender tries to deliver mail, PMG returns a temporary 451 error. Legitimate mail servers retry after a few minutes. Spam bots typically don't.
Enable greylisting under Mail Proxy → Greylist. The default delay (5 minutes) and whitelist TTL (60 days) are reasonable starting points.
Expect some first-time delivery delays from new senders; this is normal. Most legitimate senders retry within 1-5 minutes.
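The retry behaviour described above, as an added example that is not PMG's own code: a simplified greylist keyed on the (client IP, sender, recipient) triplet, using the 5 minute delay and 60 day whitelist TTL quoted on this page. The triplet key, the class and function names and the sample traffic are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

DELAY = 5 * 60               # page default: 5 minute greylist delay
WHITELIST_TTL = 60 * 86400   # page default: 60 day whitelist TTL


@dataclass
class Greylist:
    first_seen: dict = field(default_factory=dict)  # triplet -> first attempt time
    passed: dict = field(default_factory=dict)      # triplet -> last accepted time

    def check(self, client_ip, sender, rcpt, now):
        """Return the SMTP reply code for one delivery attempt at time `now` (s)."""
        key = (client_ip, sender.lower(), rcpt.lower())
        last_ok = self.passed.get(key)
        if last_ok is not None and now - last_ok <= WHITELIST_TTL:
            self.passed[key] = now   # known triplet: accept, refresh the TTL
            return 250
        first = self.first_seen.setdefault(key, now)
        if now - first < DELAY:
            return 451               # temporary failure: the sender must retry later
        del self.first_seen[key]
        self.passed[key] = now       # retried after the delay: accept and whitelist
        return 250


def simulate(attempts):
    """Feed (client_ip, sender, rcpt, now) tuples to a fresh greylist."""
    gl = Greylist()
    return [gl.check(*a) for a in attempts]


# Constructed sample traffic (documentation addresses, times in seconds).
MTA = ("192.0.2.10", "billing@example.net", "user@yourdomain.com")
BOT = ("198.51.100.7", "promo@example.org", "user@yourdomain.com")
DAY = 86400
ATTEMPTS = [
    (*MTA, 0),               # first contact
    (*BOT, 5),               # single attempt, never retried
    (*MTA, 60),              # retry inside the delay window
    (*MTA, 360),             # retry after the delay
    (*MTA, DAY),             # next message from the same triplet
    (*MTA, DAY + 61 * DAY),  # same triplet after the whitelist entry expired
]

if __name__ == "__main__":
    print(simulate(ATTEMPTS))
```

The last attempt shows why a sender who mails you less often than the whitelist TTL is delayed again on every message.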
DNSBL Configuration
DNS Blocklists check sender IPs against known spam infrastructure databases. PMG supports multiple DNSBL providers.
Under Mail Proxy → Options, you can configure DNSBL lookups. Common free options include:
- zen.spamhaus.org — comprehensive, well-maintained
- bl.spamcop.net — high-volume spam sources
- dnsbl.sorbs.net — additional coverage
Be careful with aggressive DNSBL policies in production — false positives exist, especially with shared hosting IPs.
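How a DNSBL lookup works underneath, as an added example that is not PMG's code: the client IP is reversed, appended to the blocklist zone and resolved as an A record, and the answer is interpreted. Function names are assumptions; the resolver is injectable so the logic can be exercised without network access.

```python
import ipaddress
import socket

ZONES = ["zen.spamhaus.org", "bl.spamcop.net", "dnsbl.sorbs.net"]  # from the page


def dnsbl_name(ip, zone):
    """Build the query name: reversed octets (IPv4) or nibbles (IPv6) + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone


def classify(answer):
    """Interpret the A record returned for a DNSBL query (None: no record)."""
    if answer is None:
        return "not listed"
    addr = ipaddress.ip_address(answer)
    if addr in ipaddress.ip_network("127.255.255.0/24"):
        # Spamhaus documents 127.255.255.x as error codes, not listings
        # (for example when the query arrives through a public resolver).
        return "error"
    if addr in ipaddress.ip_network("127.0.0.0/8"):
        return "listed"
    return "invalid"  # non-loopback answer: wildcarded or hijacked zone


def system_resolver(name):
    """Resolve via the host's DNS; None on NXDOMAIN or lookup failure
    (the two are not distinguished in this sketch)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check(ip, zones=ZONES, resolve=system_resolver):
    """Return {zone: verdict} for one client IP."""
    return {z: classify(resolve(dnsbl_name(ip, z))) for z in zones}


if __name__ == "__main__":
    # 127.0.0.2 is the RFC 5782 test entry every IPv4 DNSBL must list.
    print(check("127.0.0.2"))
```

Running it from the PMG host against the 127.0.0.2 test entry is a quick way to confirm that the resolver PMG uses gets real answers rather than error codes.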
Writing Custom Filter Rules
PMG's rule engine is where it gets powerful. You can create rules based on sender, recipient, subject, attachments, content, and spam score — and apply actions like quarantine, block, tag, or notify.
Block Dangerous Attachment Types
Navigate to Mail Proxy → Rules and create a new rule:
Name: Block Dangerous Attachments
Priority: 90
Direction: In
Condition: Attachment Name matches regex: \.(exe|bat|cmd|ps1|vbs|js|jar|msi|hta)$
Action: Block
This catches the most common malware delivery vectors before ClamAV even sees them.
Quarantine High-Scoring Spam
Create a rule to quarantine (rather than silently delete) messages with high spam scores:
Name: Quarantine High Spam
Priority: 80
Direction: In
Condition: Spam Score >= 8
Action: Quarantine
Users can review quarantined mail through the PMG self-service portal or you can review it as admin under Quarantine → Spam.
Whitelist Internal Senders
If you have automated systems sending mail (monitoring alerts, application notifications), whitelist them to bypass spam checks:
Name: Whitelist Internal Monitoring
Priority: 95
Direction: In
Condition: Sender matches: alerts@yourdomain.com
Action: Accept (no spam check)
Higher priority numbers run first in PMG — set trusted rules at 95+ so they're evaluated before general rules.
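To see how the three rules above interact, here is an added example (a simplified model, not PMG's rule engine) that evaluates constructed messages highest priority first and stops at the first final action. The attachment pattern is written with an escaped dot; the `Mail` class, `evaluate` function and sample messages are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass, field

# The page's attachment pattern with the dot escaped. IGNORECASE is a choice of
# this sketch so that "Setup.MSI" is treated like "setup.msi".
DANGEROUS = re.compile(r"\.(exe|bat|cmd|ps1|vbs|js|jar|msi|hta)$", re.IGNORECASE)


@dataclass
class Mail:
    sender: str
    spam_score: float = 0.0
    attachments: list = field(default_factory=list)


# (priority, name, condition, final action), in the order the page adds them.
RULES = [
    (90, "Block Dangerous Attachments",
     lambda m: any(DANGEROUS.search(a) for a in m.attachments), "block"),
    (80, "Quarantine High Spam", lambda m: m.spam_score >= 8, "quarantine"),
    (95, "Whitelist Internal Monitoring",
     lambda m: m.sender.lower() == "alerts@yourdomain.com", "accept"),
]


def evaluate(mail):
    """Return (action, rule) for the first match, highest priority first."""
    for _prio, name, cond, action in sorted(RULES, key=lambda r: r[0], reverse=True):
        if cond(mail):
            return action, name  # a final action stops further rule processing
    return "accept", "no rule matched"


# Constructed sample messages.
SAMPLES = {
    "double extension": Mail("billing@example.net", 1.2, ["invoice.pdf.exe"]),
    "upper-case ext": Mail("it@example.net", 0.4, ["Setup.MSI"]),
    "json is not js": Mail("api@example.net", 0.1, ["data.json"]),
    "no dot before js": Mail("api@example.net", 0.1, ["nodejs"]),
    "high spam score": Mail("news@example.org", 9.5),
    "spam + attachment": Mail("news@example.org", 9.5, ["offer.hta"]),
    "whitelisted sender": Mail("alerts@yourdomain.com", 0.0, ["update.ps1"]),
}

if __name__ == "__main__":
    for label, mail in SAMPLES.items():
        print(f"{label:20} -> {evaluate(mail)}")
```

The last sample is accepted by the priority-95 rule before the attachment rule is reached, so a sender-only whitelist also exempts that address from attachment blocking; keep such conditions as narrow as the rule engine allows.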
Integrating with Your Mail Server
Postfix / Mailcow
If your downstream mail server is Postfix-based, restrict it to only accept mail from PMG's IP. This prevents anyone from bypassing your filter by connecting directly to port 25 on your mail server.
In Postfix's main.cf:
mynetworks = 127.0.0.0/8 192.168.1.x/32
Replace 192.168.1.x with your PMG VM's IP. For Mailcow, set this in the Mailcow admin UI under Configuration → Server Settings → Postfix → mynetworks.
Also consider moving your mail server to a non-standard port internally (e.g., 2525) so port 25 is only exposed on PMG:
inet_interfaces = 192.168.1.50
inet_protocols = ipv4
# master.cf:
smtp inet n - y - - smtpd
2525 inet n - y - - smtpd
Then in PMG's relay configuration, point to port 2525 instead of 25.
Updating Your MX Record
Once you've verified that PMG can relay mail to your internal server (test with telnet <pmg-ip> 25), update your DNS:
yourdomain.com. MX 10 mail.yourdomain.com.
Change the MX target to point at your PMG VM's public IP (or the hostname that resolves to it). DNS propagation takes up to 48 hours but is often much faster.
During the transition, your old MX record is still active. Mail will split between old and new destinations briefly. Keep both live for 24 hours before removing the old one.
SPF Record Update
Update your SPF record to include PMG as an authorized sender:
yourdomain.com. TXT "v=spf1 ip4:
This ensures outbound mail relayed through PMG passes SPF checks at receiving servers.
Monitoring and Maintenance
Dashboard Overview
The PMG dashboard gives you a live feed of mail traffic — messages per hour, spam percentage, virus detections, and delivery success rates. Check it daily when you first deploy; you'll quickly develop a sense of your normal traffic baseline.
Log Review
PMG logs are in /var/log/pmg/. The main log files:
# Real-time mail log
tail -f /var/log/pmg/pmgproxy.log
# SMTP transaction log
tail -f /var/log/mail.log
# SpamAssassin decisions
tail -f /var/log/pmg/spam.log
For structured log queries, PMG includes a built-in log viewer under Logs → Mail. You can filter by sender, recipient, time range, and action.
Quarantine Management
Set a quarantine retention policy so disk usage doesn't spiral. Under Configuration → Spam Quarantine:
Retention Time: 7 days (adjust based on your disk)
Report Schedule: Daily (sends digest to users)
The daily digest email tells users what's in their quarantine and gives them a one-click link to release or delete messages.
Backup PMG Configuration
PMG's configuration lives in /etc/pmg/. Back it up regularly:
# Create a config backup
tar -czf pmg-config-backup-$(date +%Y%m%d).tar.gz /etc/pmg/
# Or use Proxmox Backup Server to snapshot the entire VM
Since PMG is just a VM on PVE, you can also use PVE's built-in backup scheduler to take nightly VM backups — this captures the entire system state, not just config files.
Clustering PMG for High Availability
If email uptime is critical, PMG supports multi-node clusters with automatic configuration sync. Add a second PMG node and join it to the cluster:
# On the second PMG node
pmgcm add <primary-pmg-ip> --fingerprint <fingerprint>
Configuration changes made on the primary sync to all cluster members. For true HA, publish both PMG IPs in DNS with equal-priority MX records:
yourdomain.com. MX 10 pmg1.yourdomain.com.
yourdomain.com. MX 10 pmg2.yourdomain.com.
Sending servers will try both in round-robin, so either node can accept inbound mail if the other is down.
Common Issues and Fixes
Mail not being delivered to internal server
Check that PMG can reach your mail server: telnet <mail-server-ip> 25. Verify the relay domain configuration and that no firewall rule is blocking PMG's IP from reaching your mail server.
Greylisting causing delays for important senders
Add them to the greylist whitelist under Mail Proxy → Whitelist. Google, Microsoft, and major ESPs retry quickly anyway, but occasionally a misconfigured sender won't retry correctly.
SpamAssassin not learning
Verify the spamd service is running: systemctl status pmg-smtp-filter. Check /var/log/pmg/spam.log for errors. The Bayes database needs at least 200 ham and 200 spam examples before it activates.
High CPU from ClamAV
If ClamAV is pegging a CPU core, you may need to allocate more vCPUs or tune clamd.conf to limit concurrent scan threads. For very high-volume environments, consider offloading virus scanning to a dedicated service.
Conclusion
Proxmox Mail Gateway 9 is one of the best free tools you can put in front of a self-hosted mail server. The combination of SpamAssassin, ClamAV, greylisting, DNSBL, and a flexible rule engine blocks the overwhelming majority of spam and malware at the SMTP layer — before it ever touches your mail server's storage or users' inboxes.
Deploying it as a VM on Proxmox VE means you get the full power of PVE's backup scheduler, snapshot capability, and live migration for zero-downtime maintenance. Start with conservative filter thresholds, watch the quarantine for a week, and tighten the screws once you've confirmed false positive rates are acceptable. With Bayesian learning feeding back from your quarantine decisions, the filter improves continuously over time.
If you're already running PMG 8, the upgrade to PMG 9 is straightforward — edit your apt sources, run apt full-upgrade, and reboot. The in-place upgrade path works reliably, just like PVE's own major version upgrades.